ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company is migrating its MySQL-based payment application to Amazon RDS. To comply with PCI DSS requirement 3.4, you must ensure that stored primary account numbers (PAN) are unreadable while making no application-code changes. The chosen approach must also provide centralized key management and support automatic key rotation with minimal operational effort. Which solution best satisfies these objectives?
Launch the RDS instance without encryption, store PAN in plaintext, and restrict access using IAM roles and VPC security groups.
Hash each PAN with unsalted SHA-1 in the application and save the hash to an Amazon S3 bucket that has versioning disabled.
Enable encryption at rest when creating the Amazon RDS MySQL instance, selecting a customer managed AWS KMS key that is configured for annual rotation, and store PAN directly in the database.
Modify the application to encrypt PAN with 3DES before inserting it into RDS, keeping the encryption key in local EC2 configuration files.
PCI DSS requirement 3.4 mandates that stored PAN be rendered unreadable, typically through strong encryption combined with proper key management. Enabling Amazon RDS encryption with a customer managed AWS KMS key meets this by encrypting all database files, automated backups, snapshots, and replicas without code modification. A customer managed CMK integrates with AWS KMS, offers centralized lifecycle control, and can be set to rotate automatically every year, fulfilling PCI DSS key-management expectations with little ongoing effort.
Restricting access to plaintext data, using weak or improperly stored encryption (such as 3DES with keys in configuration files), or relying on unsalted SHA-1 hashes in S3 all fail PCI DSS 3.4 because they either leave PAN unencrypted, use deprecated algorithms, lack proper key management, or move data outside the intended database. Therefore, enabling RDS encryption with a customer managed, rotating KMS key is the only option that aligns with both the encryption and key-management requirements while avoiding application changes.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is PCI DSS requirement 3.4?
Open an interactive chat with Bash
How does AWS KMS support encryption and key rotation?
Open an interactive chat with Bash
Why is 3DES encryption or unsalted SHA-1 hashing unsuitable for PCI DSS compliance?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Cryptography
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .